multimodel-dev-os 3.2.0 → 3.5.0

package/tests/fixtures/signed-registries/tampered-manifest/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-valid"
+    signature: "MCowBQYDK2VwAyEA9vWwyE5+fY0dvEzl9S1UcvtoMkOAIDhDCzZAkP+CVNo="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/trusted-keys.yaml

@@ -0,0 +1,23 @@
+
+# MultiModel Dev OS Test-Only Trusted Keys Fixture
+# WARNING: These keys are for unit testing and E2E verification validation only.
+# DO NOT USE IN PRODUCTION.
+trusted_publishers:
+  - key_id: test-key-valid
+    name: "Mock Valid Publisher"
+    algorithm: ed25519
+    public_key: "MCowBQYDK2VwAyEAU1uu8t1/5aXZRvNDNkKpBRJ2SgkKJtlX6pMmuF90tx8="
+    scopes: ["registry"]
+    status: "active"
+  - key_id: test-key-revoked
+    name: "Mock Revoked Publisher"
+    algorithm: ed25519
+    public_key: "MCowBQYDK2VwAyEAvcxhJeWu5VSDxdAva1GwtzgWspYFJ9U1TRJ1a7bUyRA="
+    scopes: ["registry"]
+    status: "revoked"
+  - key_id: test-key-disabled
+    name: "Mock Disabled Publisher"
+    algorithm: ed25519
+    public_key: "MCowBQYDK2VwAyEA9uWCD3w/zkUoQ9RTpQUZ52sib3ctl3fre1PZZowVmvg="
+    scopes: ["registry"]
+    status: "disabled"

package/tests/fixtures/signed-registries/unsigned-remote-required/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/unsigned-remote-required/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Unsigned remote registries are not allowed by policy."
+  ]
+}

package/tests/fixtures/signed-registries/unsigned-remote-required/registry-manifest.yaml

@@ -0,0 +1,9 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"

package/tests/fixtures/signed-registries/unsupported-algorithm/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/unsupported-algorithm/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Signature algorithm 'rsa-sha256' is not allowed by policy (allowed: ed25519, hmac-sha256)."
+  ]
+}

package/tests/fixtures/signed-registries/unsupported-algorithm/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "rsa-sha256"
+    key_id: "test-key-valid"
+    signature: "mock-sig"
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/valid-signed-registry/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/valid-signed-registry/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "trusted",
+  "signature_status": "verified",
+  "trusted_publisher_status": "trusted",
+  "errors": [],
+  "warnings": []
+}

package/tests/fixtures/signed-registries/valid-signed-registry/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-valid"
+    signature: "CjhqbNnmTh9wzBTBRlnkaCjZDTvxj8rImdtwOQIBOu0I+kCd8ec3x/jcNvJesy/Fqd2yl70vToqKAiVxD0GVAQ=="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/fixtures/signed-registries/wrong-key/catalog.yaml

@@ -0,0 +1,8 @@
+
+# Catalog fixture
+catalog:
+  plugins:
+    - slug: test-plugin
+      version: 1.0.0
+      name: Test Plugin
+      description: A mock plugin for testing

package/tests/fixtures/signed-registries/wrong-key/expected-verdict.json

@@ -0,0 +1,7 @@
+{
+  "final_status": "untrusted",
+  "signature_status": "failed",
+  "errors": [
+    "Key ID 'test-key-wrong' not found in trust store."
+  ]
+}

package/tests/fixtures/signed-registries/wrong-key/registry-manifest.yaml

@@ -0,0 +1,14 @@
+registry_name: "test-fixture-registry"
+publisher: "Mock Valid Publisher"
+version: "1.0.0"
+generated_at: "2026-06-20T12:00:00Z"
+minimum_mmdo_version: "3.2.0"
+safety_policy_version: "1.0.0"
+catalog_hash: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+files_hashes:
+    catalog.yaml: "sha256:289e7ff82e8037b27471990d4106f76e7f8e44e26aeb049787c185a30249420e"
+signature:
+    algorithm: "ed25519"
+    key_id: "test-key-wrong"
+    signature: "XChca7Nje+hM8QPfHHL8iwVjW8mL9wOeNhZBOo0hloV5CHhaFH9qm0k5e2xvFLMLOc3j+8CMCqJozPdWgiqxBw=="
+    signed_fields: ["registry_name", "publisher", "version", "generated_at", "catalog_hash", "minimum_mmdo_version", "safety_policy_version"]

package/tests/unit/registry-e2e-signature-fixtures.test.js

@@ -0,0 +1,288 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { readFileSync, mkdirSync, writeFileSync, copyFileSync, rmSync, existsSync } from 'fs';
+import { join } from 'path';
+import { execSync } from 'child_process';
+import { verifySignatureBlock } from '../../src/registry/signing.js';
+import { parseYaml } from '../../src/core/yaml.js';
+import { createTrustVerdict } from '../../src/registry/verdict.js';
+
+const fixturesDir = join(process.cwd(), 'tests', 'fixtures', 'signed-registries');
+
+// Helper to load trust store from YAML fixture
+function loadFixtureTrustedKeys() {
+  const content = readFileSync(join(fixturesDir, 'trusted-keys.yaml'), 'utf8');
+  const parsed = parseYaml(content);
+  return parsed.trusted_publishers || [];
+}
+
+// Helper to load registry manifest from fixture
+function loadFixtureManifest(folderName) {
+  const content = readFileSync(join(fixturesDir, folderName, 'registry-manifest.yaml'), 'utf8');
+  return parseYaml(content);
+}
+
+// Helper to load expected verdict
+function loadExpectedVerdict(folderName) {
+  const content = readFileSync(join(fixturesDir, folderName, 'expected-verdict.json'), 'utf8');
+  return JSON.parse(content);
+}
+
+describe('Registry E2E Signatures — Fixtures Validation', () => {
+  const trustedKeys = loadFixtureTrustedKeys();
+
+  it('valid-signed-registry passes verification', () => {
+    const manifest = loadFixtureManifest('valid-signed-registry');
+    const policy = {
+      allow_unsigned_remote: false,
+      require_signature: true,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(true);
+    expect(res.status).toBe('verified');
+
+    // Create structured verdict
+    const verdict = createTrustVerdict({
+      source: source.name,
+      source_type: source.type,
+      manifest_hash_status: 'verified',
+      catalog_hash_status: 'verified',
+      lockfile_status: 'present',
+      provenance_status: 'matched',
+      signature_status: 'verified',
+      trusted_publisher_status: 'trusted',
+      errors: res.errors || [],
+      warnings: [],
+      final_status: 'trusted'
+    });
+
+    const expected = loadExpectedVerdict('valid-signed-registry');
+    expect(verdict.final_status).toBe(expected.final_status);
+    expect(verdict.signature_status).toBe(expected.signature_status);
+    expect(verdict.trusted_publisher_status).toBe(expected.trusted_publisher_status);
+  });
+
+  it('tampered-manifest fails verification', () => {
+    const manifest = loadFixtureManifest('tampered-manifest');
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('Invalid Ed25519 signature');
+
+    const expected = loadExpectedVerdict('tampered-manifest');
+    expect(res.errors[0]).toContain(expected.errors[0]);
+  });
+
+  it('changed catalog hash fails verification', () => {
+    const manifest = loadFixtureManifest('valid-signed-registry');
+    // Modify catalog_hash after signing
+    manifest.catalog_hash = 'sha256:1111111111111111111111111111111111111111111111111111111111111111';
+    
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('Invalid Ed25519 signature');
+  });
+
+  it('wrong trusted key fails verification', () => {
+    const manifest = loadFixtureManifest('wrong-key');
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('not found in trust store');
+
+    const expected = loadExpectedVerdict('wrong-key');
+    expect(res.errors[0]).toContain(expected.errors[0]);
+  });
+
+  it('revoked key fails verification', () => {
+    const manifest = loadFixtureManifest('revoked-key');
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('is revoked (must be active)');
+
+    const expected = loadExpectedVerdict('revoked-key');
+    expect(res.errors[0]).toContain(expected.errors[0]);
+  });
+
+  it('disabled key fails verification', () => {
+    const manifest = loadFixtureManifest('valid-signed-registry');
+    // Mutate the valid manifest key_id to test-key-disabled
+    manifest.signature.key_id = 'test-key-disabled';
+    
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('is disabled (must be active)');
+  });
+
+  it('scope mismatch fails verification', () => {
+    const manifest = loadFixtureManifest('valid-signed-registry');
+    
+    // Create a trust store where valid-key has scope mismatch (e.g. only 'plugin' scope)
+    const customTrustedKeys = trustedKeys.map(k => {
+      if (k.key_id === 'test-key-valid') {
+        return { ...k, scopes: ['plugin'] };
+      }
+      return k;
+    });
+
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys: customTrustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('does not have required scope');
+  });
+
+  it('unsigned remote registry fails verification when allow_unsigned_remote is false', () => {
+    const manifest = loadFixtureManifest('unsigned-remote-required');
+    const policy = {
+      allow_unsigned_remote: false,
+      require_signature: false,
+      allowed_signature_algorithms: ['ed25519']
+    };
+    const source = { name: 'official', type: 'remote' };
+
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.error).toContain('Unsigned remote registries are not allowed');
+
+    const expected = loadExpectedVerdict('unsigned-remote-required');
+    expect(res.error).toContain(expected.errors[0]);
+  });
+
+  it('unsupported algorithm fails verification', () => {
+    const manifest = loadFixtureManifest('unsupported-algorithm');
+    const policy = {
+      allow_unsigned_remote: false,
+      allowed_signature_algorithms: ['ed25519', 'hmac-sha256']
+    };
+    const source = { name: 'official', type: 'remote' };
+    const res = verifySignatureBlock({ manifest, trustedKeys, policy, source });
+    expect(res.verified).toBe(false);
+    expect(res.status).toBe('failed');
+    expect(res.errors[0]).toContain('Signature algorithm \'rsa-sha256\' is not allowed by policy');
+
+    const expected = loadExpectedVerdict('unsupported-algorithm');
+    expect(res.errors[0]).toContain(expected.errors[0]);
+  });
+});
+
+describe('Registry CLI Integration E2E Tests', () => {
+  const tempCliDir = join(process.cwd(), 'tests', 'fixtures', 'temp-cli-trust');
+  const cliPath = join(process.cwd(), 'bin', 'multimodel-dev-os.js');
+
+  beforeAll(() => {
+    if (existsSync(tempCliDir)) {
+      rmSync(tempCliDir, { recursive: true, force: true });
+    }
+    mkdirSync(join(tempCliDir, '.ai', 'registries'), { recursive: true });
+    copyFileSync(
+      join(fixturesDir, 'trusted-keys.yaml'),
+      join(tempCliDir, '.ai', 'registries', 'trusted-keys.yaml')
+    );
+    copyFileSync(
+      join(process.cwd(), 'examples', 'general-app', '.ai', 'config.yaml'),
+      join(tempCliDir, '.ai', 'config.yaml')
+    );
+  });
+
+  afterAll(() => {
+    if (existsSync(tempCliDir)) {
+      rmSync(tempCliDir, { recursive: true, force: true });
+    }
+  });
+
+  const stripAnsi = (str) => str.replace(/[\u001b\u009b][[()#;?]*(?:[0-9]{1,4}(?:;[0-9]{0,4})*)?[0-9A-ORZcf-nqry=><]/g, '');
+
+  it('registry trust list outputs keys from trust store', () => {
+    const rawOutput = execSync(`node ${cliPath} registry trust list --target ${tempCliDir}`, { encoding: 'utf8' });
+    const output = stripAnsi(rawOutput);
+    expect(output).toContain('test-key-valid');
+    expect(output).toContain('test-key-revoked');
+    expect(output).toContain('test-key-disabled');
+    expect(output).toContain('Total Keys:       3');
+  });
+
+  it('registry trust show test-key-valid outputs correct key details', () => {
+    const rawOutput = execSync(`node ${cliPath} registry trust show test-key-valid --target ${tempCliDir}`, { encoding: 'utf8' });
+    const output = stripAnsi(rawOutput);
+    expect(output).toContain('Key ID:         test-key-valid');
+    expect(output).toContain('Publisher:      Mock Valid Publisher');
+    expect(output).toContain('Algorithm:      ed25519');
+    expect(output).toContain('Public Key:');
+    expect(output).toContain('MCowBQYDK2VwAyE');
+  });
+
+  it('registry trust verify validates format of keys in trust store', () => {
+    const rawOutput = execSync(`node ${cliPath} registry trust verify --target ${tempCliDir}`, { encoding: 'utf8' });
+    const output = stripAnsi(rawOutput);
+    expect(output).toContain("Key 'test-key-valid' public key format is valid.");
+    expect(output).toContain("Key 'test-key-revoked' public key format is valid.");
+    expect(output).toContain("Key 'test-key-disabled' public key format is valid.");
+    expect(output).toContain('Trust store verification passed.');
+  });
+
+  it('registry verify bundled passes', () => {
+    const rawOutput = execSync(`node ${cliPath} registry verify bundled --target ${tempCliDir}`, { encoding: 'utf8' });
+    const output = stripAnsi(rawOutput);
+    expect(output).toContain('Final Trust:        ✓ Verified (Implicit local trust)');
+  });
+
+  it('registry status displays security/signature policy', () => {
+    const rawOutput = execSync(`node ${cliPath} registry status --target ${tempCliDir}`, { encoding: 'utf8' });
+    const output = stripAnsi(rawOutput);
+    expect(output).toContain('Policy State:');
+    expect(output).toContain('require_signature:');
+    expect(output).toContain('allow_unsigned_remote:');
+  });
+
+  it('registry sync fails safely without approval', () => {
+    try {
+      execSync(`node ${cliPath} registry sync official --target ${tempCliDir}`, { encoding: 'utf8', stdio: 'pipe' });
+      throw new Error('Should have failed');
+    } catch (err) {
+      expect(err.message).toContain('Command failed');
+    }
+  });
+});
+

package/tests/unit/registry-policy.test.js

@@ -24,6 +24,12 @@ describe('Registry Policy Engine', () => {
     expect(policy.allow_http_localhost).toBe(false);
     expect(policy.require_checksum).toBe(true);
     expect(policy.allowed_write_roots).toEqual(['.ai/', 'adapters/']);
+    expect(policy.allow_unsigned_local).toBe(true);
+    expect(policy.allow_unsigned_bundled).toBe(true);
+    expect(policy.allow_unsigned_remote).toBe(false);
+    expect(policy.require_trusted_publisher).toBe(false);
+    expect(policy.provenance_required).toBe(true);
+    expect(policy.allowed_signature_algorithms).toEqual(['ed25519', 'hmac-sha256']);
   });
 
   it('should override default fields with written policy configurations', () => {

package/tests/unit/registry-provenance.test.js

@@ -0,0 +1,185 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
+import { existsSync, mkdirSync, rmSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import {
+  loadRegistryLockfile,
+  saveRegistryLockfile,
+  updateLockfileEntry,
+  getLockfilePath
+} from '../../src/registry/provenance.js';
+
+const tempDir = join(process.cwd(), 'temp-provenance-test');
+
+describe('Registry Provenance — loadRegistryLockfile', () => {
+  beforeAll(() => {
+    mkdirSync(tempDir, { recursive: true });
+  });
+
+  afterAll(() => {
+    if (existsSync(tempDir)) {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  });
+
+  it('returns an empty well-formed structure when no lockfile exists', () => {
+    const result = loadRegistryLockfile(tempDir);
+    expect(result).toEqual({
+      lockfile_version: '1',
+      generated_at: '',
+      entries: {}
+    });
+  });
+
+  it('returns empty structure if lockfile JSON is malformed', () => {
+    const aiDir = join(tempDir, '.ai');
+    mkdirSync(aiDir, { recursive: true });
+    writeFileSync(join(aiDir, 'registry-lock.json'), 'NOT VALID JSON', 'utf8');
+    const result = loadRegistryLockfile(tempDir);
+    expect(result.entries).toEqual({});
+  });
+
+  it('returns empty structure if lockfile JSON has no entries field', () => {
+    const aiDir = join(tempDir, '.ai');
+    mkdirSync(aiDir, { recursive: true });
+    writeFileSync(join(aiDir, 'registry-lock.json'), JSON.stringify({ lockfile_version: '1' }), 'utf8');
+    const result = loadRegistryLockfile(tempDir);
+    expect(result.entries).toEqual({});
+  });
+});
+
+
+describe('Registry Provenance — updateLockfileEntry', () => {
+  it('upserts a new entry into an empty lockfile', () => {
+    const lockfile = { lockfile_version: '1', generated_at: '', entries: {} };
+    const entry = {
+      url: 'https://example.com/catalog.yaml',
+      synced_at: '2026-01-01T00:00:00.000Z',
+      catalog_sha256: 'abc123',
+      manifest_sha256: null,
+      signature: null,
+      signature_alg: 'hmac-sha256'
+    };
+    updateLockfileEntry(lockfile, 'official', entry);
+    expect(lockfile.entries['official']).toBeDefined();
+    expect(lockfile.entries['official'].url).toBe('https://example.com/catalog.yaml');
+    expect(lockfile.entries['official'].catalog_sha256).toBe('abc123');
+    expect(lockfile.entries['official'].signature).toBeNull();
+  });
+
+  it('overwrites an existing entry for the same registry name', () => {
+    const lockfile = {
+      lockfile_version: '1',
+      generated_at: '',
+      entries: {
+        official: {
+          url: 'https://old.example.com/catalog.yaml',
+          synced_at: '2025-01-01T00:00:00.000Z',
+          catalog_sha256: 'oldhash',
+          manifest_sha256: null,
+          signature: null,
+          signature_alg: 'hmac-sha256'
+        }
+      }
+    };
+    updateLockfileEntry(lockfile, 'official', {
+      url: 'https://new.example.com/catalog.yaml',
+      synced_at: '2026-06-01T00:00:00.000Z',
+      catalog_sha256: 'newhash',
+      manifest_sha256: 'mhash',
+      signature: 'sig123',
+      signature_alg: 'hmac-sha256'
+    });
+    expect(lockfile.entries['official'].catalog_sha256).toBe('newhash');
+    expect(lockfile.entries['official'].signature).toBe('sig123');
+    expect(lockfile.entries['official'].url).toBe('https://new.example.com/catalog.yaml');
+  });
+
+  it('stores null for optional fields when not provided', () => {
+    const lockfile = { lockfile_version: '1', generated_at: '', entries: {} };
+    updateLockfileEntry(lockfile, 'test', {
+      url: 'https://example.com/catalog.yaml',
+      catalog_sha256: 'hash1'
+    });
+    expect(lockfile.entries['test'].manifest_sha256).toBeNull();
+    expect(lockfile.entries['test'].signature).toBeNull();
+    expect(lockfile.entries['test'].signature_alg).toBe('hmac-sha256');
+    expect(lockfile.entries['test'].public_signature_status).toBeNull();
+    expect(lockfile.entries['test'].public_signature_algorithm).toBeNull();
+    expect(lockfile.entries['test'].public_signature_key_id).toBeNull();
+    expect(lockfile.entries['test'].trusted_publisher_status).toBeNull();
+    expect(lockfile.entries['test'].trust_store_path).toBeNull();
+    expect(lockfile.entries['test'].trust_verdict).toBeNull();
+    expect(lockfile.entries['test'].lockfile_verdict).toBeNull();
+    expect(lockfile.entries['test'].verification_errors).toEqual([]);
+    expect(lockfile.entries['test'].verification_warnings).toEqual([]);
+  });
+
+  it('initialises entries object if missing from lockfile', () => {
+    const lockfile = { lockfile_version: '1', generated_at: '' };
+    updateLockfileEntry(lockfile, 'test', {
+      url: 'https://example.com/catalog.yaml',
+      catalog_sha256: 'hash1'
+    });
+    expect(lockfile.entries).toBeDefined();
+    expect(lockfile.entries['test']).toBeDefined();
+  });
+});
+
+describe('Registry Provenance — saveRegistryLockfile + round-trip', () => {
+  const roundTripDir = join(process.cwd(), 'temp-provenance-roundtrip');
+
+  beforeEach(() => {
+    mkdirSync(roundTripDir, { recursive: true });
+  });
+
+  afterAll(() => {
+    if (existsSync(roundTripDir)) {
+      rmSync(roundTripDir, { recursive: true, force: true });
+    }
+  });
+
+  it('writes and re-reads the lockfile with correct content', () => {
+    const lockfile = { lockfile_version: '1', generated_at: '', entries: {} };
+    updateLockfileEntry(lockfile, 'alpha', {
+      url: 'https://alpha.example.com/catalog.yaml',
+      synced_at: '2026-06-01T10:00:00.000Z',
+      catalog_sha256: 'deadbeef',
+      manifest_sha256: 'cafe1234',
+      signature: 'sig_hex_abc',
+      signature_alg: 'hmac-sha256'
+    });
+    saveRegistryLockfile(roundTripDir, lockfile);
+
+    const reloaded = loadRegistryLockfile(roundTripDir);
+    expect(reloaded.lockfile_version).toBe('1');
+    expect(reloaded.generated_at).toBeTruthy();
+    expect(reloaded.entries['alpha'].catalog_sha256).toBe('deadbeef');
+    expect(reloaded.entries['alpha'].signature).toBe('sig_hex_abc');
+    expect(reloaded.entries['alpha'].manifest_sha256).toBe('cafe1234');
+  });
+
+  it('getLockfilePath returns the expected path', () => {
+    const expectedPath = join(roundTripDir, '.ai', 'registry-lock.json');
+    expect(getLockfilePath(roundTripDir)).toBe(expectedPath);
+  });
+
+  it('round-trip is idempotent for multiple saves', () => {
+    const lockfile1 = { lockfile_version: '1', generated_at: '', entries: {} };
+    updateLockfileEntry(lockfile1, 'beta', {
+      url: 'https://beta.example.com/catalog.yaml',
+      catalog_sha256: 'hash_beta'
+    });
+    saveRegistryLockfile(roundTripDir, lockfile1);
+
+    const lockfile2 = loadRegistryLockfile(roundTripDir);
+    updateLockfileEntry(lockfile2, 'gamma', {
+      url: 'https://gamma.example.com/catalog.yaml',
+      catalog_sha256: 'hash_gamma'
+    });
+    saveRegistryLockfile(roundTripDir, lockfile2);
+
+    const reloaded = loadRegistryLockfile(roundTripDir);
+    expect(reloaded.entries['beta'].catalog_sha256).toBe('hash_beta');
+    expect(reloaded.entries['gamma'].catalog_sha256).toBe('hash_gamma');
+  });
+});